Configure RBAC permissions for Alibaba Cloud services that access ACK clusters

ACK supports the Kubernetes-native RBAC (Role-Based Access Control) authorization mechanism. With RBAC, different users can be granted different permissions on the Kubernetes resources of the same cluster. When another Alibaba Cloud service accesses an ACK cluster, you can bind a specified RBAC role to that cloud service, so that the service reaches resources inside the cluster only with the RBAC permissions that correspond to its service role. This isolates permissions on cluster resources and keeps each service's permissions to the minimum it needs.

Usage notes

  • By default, an ACK cluster does not create RBAC roles for cloud services on its own. Only after you authorize the service role of a cloud product and use a specific feature of that product does the product trigger the creation of the RBAC role and its role binding.

  • The RBAC role bindings created for cloud products follow a fixed naming format: ${service abbreviation}-${service role name}-clusterrolebinding for a ClusterRoleBinding, or ${service abbreviation}-${service role name}-rolebinding for a namespace-scoped RoleBinding.

  • The RBAC roles described in this topic grant only the minimum permissions that a cloud product's specified feature needs; they do not affect the RBAC authorizations of your own workloads.

  • You can enable audit logging for the cluster API Server, use the subjects field of the RBAC role binding to identify the name of the bound subject, and then search the audit logs by that name to see how the cloud product accesses resources in the cluster. For details, see Use the cluster API Server auditing feature.
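
The procedure in the note above, as an added example that is not part of the ACK documentation: read the subjects of a product's role binding (named per the documented ${abbreviation}-${role}-clusterrolebinding format), then filter API Server audit log lines by that subject. The binding, the audit events and the subject name EXAMPLE-ARMS-SUBJECT are constructed placeholders.

```python
"""Locate API Server audit events produced by a cloud product's service role.

Added example, not part of the ACK documentation. All data below is
constructed; subject and object names are placeholders.
"""
from __future__ import annotations

import json
from collections import Counter
from typing import Iterable

# Constructed: the shape `kubectl get clusterrolebinding <name> -o json` returns,
# trimmed to the fields used here. The subject name is a placeholder.
SAMPLE_BINDING = json.dumps({
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRoleBinding",
    "metadata": {"name": "arms-aliyunserviceroleforarms-clusterrolebinding"},
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole",
                "name": "arms-aliyunserviceroleforarms-clusterrole"},
    "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "User",
                  "name": "EXAMPLE-ARMS-SUBJECT"}],
})


def _event(stage, verb, user, resource, namespace=None, name=None, code=200):
    """Build one constructed audit.k8s.io/v1 event line (Metadata level)."""
    ev = {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata",
          "stage": stage, "verb": verb, "user": {"username": user},
          "objectRef": {"resource": resource}, "responseStatus": {"code": code}}
    if namespace:
        ev["objectRef"]["namespace"] = namespace
    if name:
        ev["objectRef"]["name"] = name
    return json.dumps(ev)


# Constructed audit log lines: the same list request logged at two stages, an
# unrelated admin request, a Secret read, a denied write, and a non-JSON line.
SAMPLE_AUDIT_LINES = [
    _event("RequestReceived", "list", "EXAMPLE-ARMS-SUBJECT", "pods"),
    _event("ResponseComplete", "list", "EXAMPLE-ARMS-SUBJECT", "pods"),
    _event("ResponseComplete", "get", "kubernetes-admin", "secrets",
           "kube-system", "EXAMPLE-ADMIN-SECRET"),
    _event("ResponseComplete", "get", "EXAMPLE-ARMS-SUBJECT", "secrets",
           "arms-prom", "EXAMPLE-SECRET"),
    _event("ResponseComplete", "create", "EXAMPLE-ARMS-SUBJECT",
           "mutatingwebhookconfigurations", code=403),
    "not json at all",
]


def binding_subjects(binding_json: str) -> set[str]:
    """Return the audit-log usernames that correspond to the binding's subjects."""
    binding = json.loads(binding_json)
    names: set[str] = set()
    for subject in binding.get("subjects", []):
        if subject.get("kind") == "ServiceAccount":
            # ServiceAccounts appear in audit logs as system:serviceaccount:<ns>:<name>
            names.add(f"system:serviceaccount:{subject.get('namespace', '')}:{subject['name']}")
        else:
            names.add(subject["name"])
    return names


def events_for_subjects(lines: Iterable[str], subjects: set[str]) -> list[dict]:
    """Keep the completed requests made by any of `subjects`."""
    hits = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip non-JSON lines (collector banners, truncated records)
        # One request can be logged at several stages; count it once, at completion.
        if ev.get("stage") != "ResponseComplete":
            continue
        user = ev.get("user", {}).get("username")
        if user not in subjects:
            continue
        ref = ev.get("objectRef", {})
        hits.append({"user": user, "verb": ev.get("verb"), "resource": ref.get("resource"),
                     "namespace": ref.get("namespace"), "name": ref.get("name"),
                     "code": ev.get("responseStatus", {}).get("code")})
    return hits


def summarize(hits: list[dict]) -> Counter:
    """Count (verb, resource) pairs so unusual access patterns stand out."""
    return Counter((h["verb"], h["resource"]) for h in hits)


def denied(hits: list[dict]) -> list[dict]:
    """Requests the API Server rejected: the role lacks (or lost) a permission."""
    return [h for h in hits if (h["code"] or 0) >= 400]


if __name__ == "__main__":
    found = events_for_subjects(SAMPLE_AUDIT_LINES, binding_subjects(SAMPLE_BINDING))
    for (verb, resource), n in summarize(found).most_common():
        print(f"{n:>3} {verb:<8} {resource}")
    for h in denied(found):
        print("denied:", h)
```

With a real cluster, feed `kubectl get clusterrolebinding <name> -o json` to binding_subjects and the exported audit log file to events_for_subjects.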

Permission policies of cloud product service roles

After you grant a cloud product one of the service roles listed below, the product accesses the resources of your ACK cluster with the RBAC permissions that correspond to that service role.

Note

In the entries below, the Scope field shows where a permission takes effect: the whole cluster (cluster) or a single namespace (namespace). Each entry lists, in order: Cloud product, Service role name, Scope, and RBAC policy.
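
A least-privilege review of one of these policies, as an added example that is not ACK's own tooling: it takes a role in the JSON form `kubectl get clusterrole <name> -o json` returns and flags wildcard grants and writes to sensitive resources (Secrets, ServiceAccount tokens, pods/exec, RBAC objects, mutating webhooks). SAMPLE_ROLE is constructed; its rules are modelled on patterns that appear in the policies below, and EXAMPLE-CONFIG-SECRET is a placeholder.

```python
"""Flag broad or sensitive grants in a Kubernetes Role/ClusterRole.

Added example, not part of the ACK documentation. SAMPLE_ROLE is constructed.
"""
from __future__ import annotations

import json
from collections import Counter

WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}
READ_VERBS = {"get", "list", "watch", "*"}

# (apiGroup, resource) pairs where a write grant reaches beyond the object itself.
SENSITIVE_WRITE = {
    ("", "secrets"): "writes Secrets",
    ("", "serviceaccounts/token"): "mints ServiceAccount tokens",
    ("", "pods/exec"): "executes commands inside pods",
    ("", "pods/attach"): "attaches to running containers",
    ("rbac.authorization.k8s.io", "roles"): "edits RBAC roles",
    ("rbac.authorization.k8s.io", "rolebindings"): "edits RBAC bindings",
    ("rbac.authorization.k8s.io", "clusterroles"): "edits cluster-wide RBAC roles",
    ("rbac.authorization.k8s.io", "clusterrolebindings"): "edits cluster-wide RBAC bindings",
    ("admissionregistration.k8s.io", "mutatingwebhookconfigurations"): "installs mutating webhooks",
}
SENSITIVE_READ = {("", "secrets"): "reads Secrets"}

# Constructed role; rules follow patterns seen in the product policies on this page.
SAMPLE_ROLE = json.dumps({
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
    "metadata": {"name": "example-review-clusterrole"},
    "rules": [
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["create"]},
        {"apiGroups": [""], "resources": ["secrets"], "resourceNames": ["EXAMPLE-CONFIG-SECRET"],
         "verbs": ["get", "update", "patch"]},
        {"apiGroups": [""], "resources": ["services", "pods"], "verbs": ["list"]},
        {"apiGroups": ["rbac.authorization.k8s.io"],
         "resources": ["rolebindings", "roles", "clusterroles", "clusterrolebindings"], "verbs": ["*"]},
        {"apiGroups": [""], "resources": ["serviceaccounts/token"], "verbs": ["create"]},
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["get", "list", "watch"]},
        {"apiGroups": [""], "resources": ["serviceaccounts"], "verbs": ["impersonate"]},
        {"nonResourceURLs": ["/metrics"], "verbs": ["get"]},
        {"apiGroups": ["admissionregistration.k8s.io"],
         "resources": ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"],
         "verbs": ["get", "list", "watch"]},
    ],
})


def _finding(idx, severity, what, verbs):
    return {"rule": idx, "severity": severity, "what": what, "verbs": sorted(verbs)}


def _lookup(table, group, resource):
    """Match (group, resource); an apiGroups entry of "*" matches every group."""
    for (g, r), why in table.items():
        if r == resource and group in ("*", g):
            return why
    return None


def review_rules(rules: list[dict]) -> list[dict]:
    findings = []
    for idx, rule in enumerate(rules):
        verbs = set(rule.get("verbs", []))
        scoped = bool(rule.get("resourceNames"))  # resourceNames narrows the grant
        if "*" in rule.get("nonResourceURLs", []):
            findings.append(_finding(idx, "high", "all non-resource URLs", verbs))
        for group in rule.get("apiGroups", []):
            for resource in rule.get("resources", []):
                if resource == "*":
                    writes = bool(verbs & WRITE_VERBS)
                    if group == "*":
                        sev, what = ("critical" if writes else "high"), "every resource in every API group"
                    else:
                        sev, what = ("high" if writes else "medium"), f"every resource in API group '{group or 'core'}'"
                    findings.append(_finding(idx, sev, what, verbs))
                    continue
                if "impersonate" in verbs:
                    findings.append(_finding(idx, "high", f"impersonates {resource}", verbs))
                why = _lookup(SENSITIVE_WRITE, group, resource)
                if why and verbs & WRITE_VERBS:
                    sev = "medium" if scoped else "high"
                    findings.append(_finding(idx, sev, why + (" (limited by resourceNames)" if scoped else ""), verbs))
                    continue
                why = _lookup(SENSITIVE_READ, group, resource)
                if why and verbs & READ_VERBS:
                    findings.append(_finding(idx, "medium" if scoped else "high", why, verbs))
    return findings


def review_role(role_json: str) -> list[dict]:
    """Review a Role/ClusterRole given as the JSON `kubectl ... -o json` prints."""
    return review_rules(json.loads(role_json).get("rules", []))


def severity_counts(findings: list[dict]) -> Counter:
    return Counter(f["severity"] for f in findings)


if __name__ == "__main__":
    for f in review_role(SAMPLE_ROLE):
        print(f"rule[{f['rule']}] {f['severity']:<8} {f['what']} verbs={f['verbs']}")
    print(dict(severity_counts(review_role(SAMPLE_ROLE))))
```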

Cloud product: Application Real-Time Monitoring Service (ARMS)
Service role name: arms-aliyunserviceroleforarms-clusterrolebinding
Scope: cluster
RBAC policy: arms-aliyunserviceroleforarms-clusterrole

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: arms-aliyunserviceroleforarms-clusterrole
rules:
  - apiGroups: ["vector.oam.dev"]
    resources: ["*"]
    verbs: ["*"]
  - apiGroups: ["o11y.aliyun.dev"]
    resources: ["*"]
    verbs: ["*"]
  - apiGroups: [""]
    resources: ["pods","replicationcontrollers","podtemplates", "nodes", "services","events","persistentvolumes","persistentvolumeclaims","componentstatuses","bindings", "namespaces","endpoints", "configmaps", "secrets", "resourcequotas", "serviceaccounts","pods/log","services/proxy"]
    verbs: ["*"]
  - apiGroups: [""]
    resources: ["nodes/metrics"]
    verbs: ["get"]
  - apiGroups: [""]
    resources: ["limitranges"]
    verbs: ["list", "watch"]
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["extensions"]
    resources: ["ingresses"]
    verbs: ["list", "watch"]
  - apiGroups: ["batch"]
    resources: ["cronjobs", "jobs"]
    verbs: ["list", "watch"]
  - apiGroups: ["autoscaling"]
    resources: ["horizontalpodautoscalers"]
    verbs: ["list", "watch"]
  - apiGroups: ["policy"]
    resources: ["poddisruptionbudgets"]
    verbs: ["list", "watch"]
  - apiGroups: ["certificates.k8s.io"]
    resources: ["certificatesigningrequests"]
    verbs: ["list", "watch"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["storageclasses","volumeattachments"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps","extensions"]
    resources: ["deployments", "daemonsets", "statefulsets","replicasets","networkpolicies"]
    verbs: ["*"]
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["*"]
  - apiGroups: ["monitoring.coreos.com"]
    resources: ["alertmanagers","podmonitors","prometheuses","prometheuses/finalizers","alertmanagers/finalizers","servicemonitors","prometheusrules","probes"]
    verbs: ["*"]
  - apiGroups: ["monitor.aliyun.com"]
    resources: ["alicloudpromrules","alicloudpromrules/status"]
    verbs: ["*"]
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["rolebindings","roles","clusterroles","clusterrolebindings"]
    verbs: ["*"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["networkpolicies","ingresses","ingressclasses"]
    verbs: ["*"]
  - apiGroups: ["apps.kruise.io"]
    resources: ["statefulsets"]
    verbs: ["*"]
  - apiGroups: ["nsm.alibabacloud.com"]
    resources: ["networkservices"]
    verbs: ["*"]
  - nonResourceURLs:
      - "/metrics"
    verbs:
      - get
  - apiGroups: [""]
    resources: ["serviceaccounts/token"]
    verbs: ["create"]
  - apiGroups: ["log.alibabacloud.com"]
    resources: ["*"]
    verbs: ["*"]
  - apiGroups: ["telemetry.alibabacloud.com"]
    resources: ["*"]
    verbs: ["*"]
  - apiGroups: ["discovery.k8s.io"]
    resources: ["endpointslices"]
    verbs: ["get", "list", "watch"]

Cloud product: E-MapReduce (EMR)
Service role name: emr-aliyunemronackdefaultrole-clusterrolebinding
Scope: cluster
RBAC policy: emr-aliyunemronackdefaultrole-clusterrole

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: emr-aliyunemronackdefaultrole-clusterrole
rules:
- apiGroups: [""]
  resources: ["pods", "nodes", "services", "namespaces", "endpoints", "configmaps", "secrets", "resourcequotas", "serviceaccounts","persistentvolumes","persistentvolumeclaims"]
  verbs: ["*"]
- apiGroups: ["apps"]
  resources: ["deployments", "daemonsets", "statefulsets"]
  verbs: ["*"]
- apiGroups: ["extensions"]
  resources: ["ingresses"]
  verbs: ["*"]
- apiGroups: ["networking.k8s.io"]
  resources: ["ingresses"]
  verbs: ["*"]
- apiGroups: ["apiextensions.k8s.io"]
  resources: ["customresourcedefinitions"]
  verbs: ["*"]
- apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["clusterroles", "clusterrolebindings", "roles", "rolebindings"]
  verbs: ["*"]
- apiGroups: ["sparkoperator.k8s.io"]
  resources: ["*"]
  verbs: ["*"]
- apiGroups: ["flink.apache.org"]
  resources: ["*"]
  verbs: ["*"]

Cloud product: Security Center
Service role name: sas-aliyunserviceroleforsas-clusterrolebinding
Scope: cluster
RBAC policy: sas-aliyunserviceroleforsas-clusterrole

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: sas-aliyunserviceroleforsas-clusterrole
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["create"]
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["policygovernance-yundun-config"]
    verbs: ["get", "update", "patch"]
  - apiGroups: [""]
    resources: ["services","pods"]
    verbs: ["list"]
  - apiGroups: ["extensions"]
    resources: ["ingresses"]
    verbs: ["list"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses"]
    verbs: ["list"]

Cloud product: ApsaraDB for Tair
Service role name: tair-aliyunserviceroleforkvstore-clusterrolebinding
Scope: cluster
RBAC policy: tair-aliyunserviceroleforkvstore-clusterrole

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tair-aliyunserviceroleforkvstore-clusterrole
rules:
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - get
      - list
  - apiGroups:
      - admissionregistration.k8s.io
    resources:
      - validatingwebhookconfigurations
      - mutatingwebhookconfigurations
    verbs:
      - get
      - list

Service role name: tair-aliyunserviceroleforkvstore-clusterrolebinding
Scope: ack-tair namespace
RBAC policy: tair-aliyunserviceroleforkvstore-role

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: tair-aliyunserviceroleforkvstore-role
  namespace: ack-tair
rules:
  - apiGroups:
    - batch
    resources:
    - jobs
    verbs:
    - get
    - list
    - create
    - delete
  - apiGroups:
    - ""
    resources:
    - events
    verbs:
    - create
    - patch
    - get
    - list
  - apiGroups:
    - apps
    resources:
    - statefulsets
    verbs:
    - create
    - delete
    - get
    - list
    - patch
    - update
  - apiGroups:
    - apps
    resources:
    - deployments
    verbs:
    - create
    - delete
    - get
    - list
    - patch
    - update
  - apiGroups:
    - ""
    resources:
    - configmaps
    verbs:
    - create
    - delete
    - get
    - list
    - patch
    - update
  - apiGroups:
    - ""
    resources:
    - pods
    verbs:
    - create
    - delete
    - get
    - list
    - patch
    - update
  - apiGroups:
    - ""
    resources:
    - pods/exec
    - pods/portforward
    - pods/proxy
    verbs:
    - create
    - get
  - apiGroups:
    - ""
    resources:
    - services
    verbs:
    - create
    - delete
    - get
    - list
    - patch
    - update
  - apiGroups:
    - ""
    resources:
    - services/proxy
    verbs:
    - create
    - get
  - apiGroups:
    - tair.alibabacloud.com
    resources:
    - tairclusters
    verbs:
    - create
    - delete
    - get
    - list
    - patch
    - update
    - watch
  - apiGroups:
    - tair.alibabacloud.com
    resources:
    - tairclusters/finalizers
    verbs:
    - update
  - apiGroups:
    - tair.alibabacloud.com
    resources:
    - tairclusters/status
    verbs:
    - get
    - patch
    - update
  - apiGroups:
    - ""
    resources:
    - persistentvolumeclaims
    verbs:
    - create
    - delete
    - get
    - list
    - patch
    - update
  - apiGroups:
    - ""
    resources:
    - persistentvolumeclaims/status
    verbs:
    - get
  - apiGroups:
    - scheduling.sigs.k8s.io
    resources:
    - reserveresourcesets
    verbs:
    - create
    - delete
    - get
    - list
    - patch
    - update
    - watch

Cloud product: Enterprise Distributed Application Service (EDAS)
Service role name: edas-aliyunedasdefaultrole-clusterrolebinding
Scope: cluster
RBAC policy: edas-aliyunedasdefaultrole-clusterrole

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: edas-aliyunedasdefaultrole-clusterrole
rules:
  - apiGroups: [ "" ]
    resources: [ "nodes", "nodes/stats" ]
    verbs: [ "get", "list", "watch" ]
  - apiGroups: [ "" ]
    resources: [ "pods", "pods/exec", "pods/log", "pods/status", "limitranges", "services", "services/proxy", "namespaces", "endpoints", "configmaps", "secrets", "bindings", "resourcequotas", "serviceaccounts", "componentstatuses", "events", "persistentvolumeclaims", "persistentvolumes", "replicationcontrollers","podtemplates" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "apps" ]
    resources: [ "deployments","daemonsets","statefulsets","replicasets","deployments/scale","statefulsets/scale","statefulsets/status","deployments/status","controllerrevisions" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "extensions" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: ["batch"]
    resources: ["*"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["apiregistration.k8s.io"]
    resources: ["*"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["*"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: [ "events.k8s.io" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["*"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["edas.aliyun.oam.com"]
    resources: ["*"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["autoscaling"]
    resources: ["*"]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
  - apiGroups: ["oam-domain.alibabacloud.com" ]
    resources: ["*"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["core.oam.dev"]
    resources: ["*"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["flagger.app"]
    resources: ["*"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: [ "keda.k8s.io" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
  - apiGroups: [ "log.alibabacloud.com" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
  - apiGroups: [ "clm.cloudnativeapp.io" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
  - apiGroups: [ "monitoring.coreos.com" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
  - apiGroups: [ "admissionregistration.k8s.io" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
  - apiGroups: [ "extension.oam.dev" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
  - apiGroups: [ "authentication.k8s.io" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
  - apiGroups: ["discovery.k8s.io"]
    resources: ["*"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: [ "networking.k8s.io" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "scheduling.k8s.io" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
  - apiGroups: [ "scheduling.sigs.k8s.io" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
  - apiGroups: [ "snapshot.storage.k8s.io" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
  - apiGroups: [ "storage.alibabacloud.com" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
  - apiGroups: [ "storage.k8s.io" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
  - apiGroups: [ "certificates.k8s.io" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
  - apiGroups: [ "flowcontrol.apiserver.k8s.io" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
  - apiGroups: [ "policy" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
  - apiGroups: [ "authorization.k8s.io" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
  - apiGroups: [ "external.metrics.k8s.io" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
  - nonResourceURLs: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
  - apiGroups: [ "keda.sh" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
  - apiGroups: [ "alibabacloud.com" ]
    resources: [ "albconfigs" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
  - apiGroups: [ "autoscaling.alibabacloud.com" ]
    resources: [ "advancedhorizontalpodautoscalers" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
  - apiGroups: [ "metrics.alibabacloud.com" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch" ]
  - apiGroups: [ "metrics.k8s.io" ]
    resources: [ "pods","nodes" ]
    verbs: [ "get", "list", "watch" ]
  - apiGroups: [ "coordination.k8s.io" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "apps.kruise.io" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "edas.alibabacloud.com" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "istio.aliyun.cloud.com" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "nacos.io" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]

Cloud product: ApsaraDB RDS
Service role name: aliyunmybasecpaasdefaultrole-clusterrolebinding
Scope: cluster
RBAC policy: rds-aliyunmybasecpaasdefaultrole-clusterrole

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: rds-aliyunmybasecpaasdefaultrole-clusterrole
rules:
- apiGroups:
  - ''
  resources:
  - nodes
  - namespaces
  - resourcequotas
  - limitranges
  - nodes/metrics
  - replicationcontrollers
  - nodes/proxy
  verbs:
  - list
  - get
  - watch
- apiGroups:
  - ''
  resources:
  - services
  - configmaps
  - secrets
  - pods
  - pods/log
  - pods/exec
  - endpoints
  - persistentvolumes
  - persistentvolumeclaims
  - events
  verbs:
  - '*'
- apiGroups:
  - ''
  resources:
  - serviceaccounts
  verbs:
  - list
  - get
  - watch
  - create
- apiGroups:
  - ''
  resourceNames:
  - mybase-operator
  - polardbx-operator
  - pre-install-kibana-kibana
  - filebeat-filebeat
  - post-delete-kibana-kibana
  resources:
  - serviceaccounts
  verbs:
  - '*'
- apiGroups:
  - '*'
  resources:
  - namespaces
  verbs:
  - patch
  - list
  - create
  - watch
  - get
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - '*'
- apiGroups:
  - apps
  resources:
  - deployments
  - daemonsets
  - statefulsets
  - controllerrevisions
  - replicasets
  verbs:
  - '*'
- apiGroups:
  - apps
  resourceNames:
  - filebeat-filebeat
  - logstash-logstash
  - kibana-kibana
  - elasticsearch-master
  resources:
  - deployments
  - daemonsets
  - statefulsets
  - replicasets
  verbs:
  - '*'
- apiGroups:
  - batch
  resources:
  - jobs
  - cronjobs
  verbs:
  - '*'
- apiGroups:
  - extensions
  resources:
  - ingresses
  verbs:
  - list
  - get
  - watch
- apiGroups:
  - extensions
  resources:
  - deployments
  - daemonsets
  - statefulsets
  - controllerrevisions
  - replicasets
  verbs:
  - '*'
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  verbs:
  - list
  - get
  - watch
- apiGroups:
  - events.k8s.io
  resources:
  - events
  verbs:
  - '*'
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - clusterroles
  - clusterrolebindings
  - roles
  - rolebindings
  verbs:
  - list
  - get
  - watch
  - create
- apiGroups:
  - rbac.authorization.k8s.io
  resourceNames:
  - mybase-operator
  - polardbx-operator
  - polardbx-controller-manager
  - mybase-monitoring
  - filebeat-filebeat-role
  - filebeat-filebeat-role-binding
  - filebeat-filebeat-cluster-role
  - filebeat-filebeat-cluster-role-binding
  - pre-install-kibana-kibana
  - post-delete-kibana-kibana
  resources:
  - clusterroles
  - clusterrolebindings
  - roles
  - rolebindings
  verbs:
  - '*'
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - list
  - get
  - watch
  - create
- apiGroups:
  - apiextensions.k8s.io
  resourceNames:
  - mybaseappinstancebackuppolicies.apps.k8s.mybase.aliyun.com
  - mybaseappdefinitions.apps.k8s.mybase.aliyun.com
  - mybaseappinstanceops.apps.k8s.mybase.aliyun.com
  - mybaseappinstances.apps.k8s.mybase.aliyun.com
  - polardbxbackupbinlogs.polardbx.aliyun.com
  - polardbxbackups.polardbx.aliyun.com
  - polardbxbackupschedules.polardbx.aliyun.com
  - polardbxclusterknobs.polardbx.aliyun.com
  - polardbxclusters.polardbx.aliyun.com
  - polardbxlogcollectors.polardbx.aliyun.com
  - polardbxmonitors.polardbx.aliyun.com
  - polardbxparameters.polardbx.aliyun.com
  - polardbxparametertemplates.polardbx.aliyun.com
  - systemtasks.polardbx.aliyun.com
  - xstorebackups.polardbx.aliyun.com
  - xstorefollowers.polardbx.aliyun.com
  - xstores.polardbx.aliyun.com
  resources:
  - customresourcedefinitions
  verbs:
  - '*'
- apiGroups:
  - monitoring.coreos.com
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - apps.k8s.mybase.aliyun.com
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - polardbx.aliyun.com
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - v1.admission.polardbx.aliyun.com
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - apiregistration.k8s.io
  resources:
  - apiservices
  verbs:
  - list
  - get
  - watch
  - create
- apiGroups:
  - apiregistration.k8s.io
  resourceNames:
  - v1.admission.polardbx.aliyun.com
  resources:
  - apiservices
  verbs:
  - '*'
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - mutatingwebhookconfigurations
  - validatingwebhookconfigurations
  verbs:
  - list
  - get
  - watch
  - create
- apiGroups:
  - admissionregistration.k8s.io
  resourceNames:
  - polardbxcluster-mutate.polardbx.aliyun.com
  - polardbxcluster-validate.polardbx.aliyun.com
  resources:
  - mutatingwebhookconfigurations
  - validatingwebhookconfigurations
  verbs:
  - '*'
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  verbs:
  - list
  - get
  - watch
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  verbs:
  - update
  - delete
  - patch
  - create
  - list
  - get
  - watch
- nonResourceURLs:
  - /metrics
  verbs:
  - get

Cloud product: CloudMonitor
Service role name: aliyunserviceroleforcloudmonitor-clusterrolebinding
Scope: cluster
RBAC policy: cloudmonitor-aliyunserviceroleforcloudmonitor-clusterrole

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cloudmonitor-aliyunserviceroleforcloudmonitor-clusterrole
rules:
  - apiGroups: ["vector.oam.dev"]
    resources: ["*"]
    verbs: ["*"]
  - apiGroups: ["o11y.aliyun.dev"]
    resources: ["*"]
    verbs: ["*"]
  - apiGroups: [""]
    resources: ["pods","replicationcontrollers","podtemplates", "nodes", "services","events","persistentvolumes","persistentvolumeclaims","componentstatuses","bindings", "namespaces","endpoints", "configmaps", "secrets", "resourcequotas", "serviceaccounts","pods/log","services/proxy"]
    verbs: ["*"]
  - apiGroups: [""]
    resources: ["nodes/metrics"]
    verbs: ["get"]
  - apiGroups: [""]
    resources: ["limitranges"]
    verbs: ["list", "watch"]
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["extensions"]
    resources: ["ingresses"]
    verbs: ["list", "watch"]
  - apiGroups: ["batch"]
    resources: ["cronjobs", "jobs"]
    verbs: ["list", "watch"]
  - apiGroups: ["autoscaling"]
    resources: ["horizontalpodautoscalers"]
    verbs: ["list", "watch"]
  - apiGroups: ["policy"]
    resources: ["poddisruptionbudgets"]
    verbs: ["list", "watch"]
  - apiGroups: ["certificates.k8s.io"]
    resources: ["certificatesigningrequests"]
    verbs: ["list", "watch"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["storageclasses","volumeattachments"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps","extensions"]
    resources: ["deployments", "daemonsets", "statefulsets","replicasets","networkpolicies"]
    verbs: ["*"]
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["*"]
  - apiGroups: ["monitoring.coreos.com"]
    resources: ["alertmanagers","podmonitors","prometheuses","prometheuses/finalizers","alertmanagers/finalizers","servicemonitors","prometheusrules","probes"]
    verbs: ["*"]
  - apiGroups: ["monitor.aliyun.com"]
    resources: ["alicloudpromrules","alicloudpromrules/status"]
    verbs: ["*"]
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["rolebindings","roles","clusterroles","clusterrolebindings"]
    verbs: ["*"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["networkpolicies","ingresses","ingressclasses"]
    verbs: ["*"]
  - apiGroups: ["apps.kruise.io"]
    resources: ["statefulsets"]
    verbs: ["*"]
  - apiGroups: ["nsm.alibabacloud.com"]
    resources: ["networkservices"]
    verbs: ["*"]
  - nonResourceURLs:
      - "/metrics"
    verbs:
      - get
  - apiGroups: [""]
    resources: ["serviceaccounts/token"]
    verbs: ["create"]
  - apiGroups: ["log.alibabacloud.com"]
    resources: ["*"]
    verbs: ["*"]
  - apiGroups: ["telemetry.alibabacloud.com"]
    resources: ["*"]
    verbs: ["*"]

Cloud product: Microservices Engine (MSE)
Service role name: mse-aliyunserviceroleformse-clusterrolebinding
Scope: cluster
RBAC policy: mse-aliyunserviceroleformse-clusterrole

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: mse-aliyunserviceroleformse-clusterrole
rules:
  # base
  - apiGroups: [""]
    resources: ["pods", "nodes", "services", "namespaces", "endpoints", "secrets", "configmaps"]
    verbs: ["get", "watch", "list"]
  - apiGroups: ["discovery.k8s.io"]
    resources: ["endpointslices"]
    verbs: ["get", "list", "watch"]

  # ingress
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses", "ingressclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses/status"]
    verbs: ["*"]

  # Use for Kubernetes Service APIs
  - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
    resources: ["*"]
    verbs: ["get", "watch", "list"]
  - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
    resources: ["*"]
    verbs: ["*"]

  # CRD
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["get", "list", "watch"]

  # istio
  - apiGroups: ["networking.istio.io"]
    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
    resources: [ "workloadentries" ]
  - apiGroups: ["networking.istio.io"]
    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
    resources: [ "workloadentries/status" ]
  # demo
  - apiGroups: [""]
    resources: ["services", "namespaces"]
    verbs: ["get", "list", "watch", "create"]
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "create"]

Service role name: mse-aliyunserviceroleformsediagnosis-clusterrolebinding
Scope: cluster
RBAC policy: mse-aliyunserviceroleformsediagnosis-clusterrole

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: mse-aliyunserviceroleformsediagnosis-clusterrole
rules:
  # base
  - apiGroups: [ "" ]
    resources: [ "nodes", "nodes/stats" ]
    verbs: [ "get", "watch" ]
  - apiGroups: [ "" ]
    resources: [ "pods", "pods/exec", "pods/log", "pods/status", "services", "services/proxy", "namespaces", "endpoints", "configmaps", "componentstatuses", "events","podtemplates" ]
    verbs: [ "get", "watch", "create"]
  - apiGroups: [ "apps" ]
    resources: [ "deployments","daemonsets","statefulsets","replicasets","statefulsets/status","deployments/status" ]
    verbs: [ "get", "watch", "create"]

Cloud product: API Gateway
Service role name: apig-aliyunservicerolefornativeapigw-clusterrolebinding
Scope: cluster
RBAC policy: apig-aliyunservicerolefornativeapigw-clusterrole

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: apig-aliyunservicerolefornativeapigw-clusterrole
rules:
  # base
  - apiGroups: [""]
    resources: ["pods", "nodes", "services", "namespaces", "endpoints", "secrets", "configmaps"]
    verbs: ["get", "watch", "list"]
  - apiGroups: ["discovery.k8s.io"]
    resources: ["endpointslices"]
    verbs: ["get", "list", "watch"]

  # ingress
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses", "ingressclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses/status"]
    verbs: ["*"]

  # Use for Kubernetes Service APIs
  - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
    resources: ["*"]
    verbs: ["get", "watch", "list"]
  - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
    resources: ["*"]
    verbs: ["*"]

  # CRD
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["get", "list", "watch"]

  # istio
  - apiGroups: ["networking.istio.io"]
    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
    resources: [ "workloadentries" ]
  - apiGroups: ["networking.istio.io"]
    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
    resources: [ "workloadentries/status" ]
  # demo
  - apiGroups: [""]
    resources: ["services", "namespaces"]
    verbs: ["get", "list", "watch", "create"]
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "create"]

Cloud product: Simple Log Service (SLS)
Service role name: sls-aliyunserviceroleforslsaudit-clusterrolebinding
Scope: cluster
RBAC policy: sls-aliyunserviceroleforslsaudit-role

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: sls-aliyunserviceroleforslsaudit-role
rules:
  - apiGroups:
    - "*"
    resources:
    - "*"
    verbs:
    - get
    - list
    - watch
  - apiGroups:
    - "*"
    resources:
    - namespaces
    - deployments
    - serviceaccounts
    - clusterroles
    - clusterrolebindings
    - daemonsets
    - services
    - aliyunlogconfigs
    verbs:
    - create
    - patch
    - delete
  - nonResourceURLs:
    - /metrics
    verbs:
    - get

Cloud product: Alibaba Cloud Elasticsearch
Service role name: elasticsearch-aliyunserviceroleforelasticsearchcollector-rolebinding
Scope: captain-system namespace
RBAC policy: elasticsearch-aliyunserviceroleforelasticsearchcollector-role

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: elasticsearch-aliyunserviceroleforelasticsearchcollector-role
  namespace: captain-system
rules:
  - apiGroups:
      - ""
    resources:
      - pods/attach
      - pods/exec
      - pods/portforward
      - pods/proxy
      - secrets
      - services/proxy
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - serviceaccounts
    verbs:
      - impersonate
  - apiGroups:
      - ""
    resources:
      - pods
      - pods/attach
      - pods/exec
      - pods/portforward
      - pods/proxy
    verbs:
      - create
      - delete
      - deletecollection
      - patch
      - update
  - apiGroups:
      - ""
    resources:
      - configmaps
      - endpoints
      - persistentvolumeclaims
      - replicationcontrollers
      - replicationcontrollers/scale
      - secrets
      - serviceaccounts
      - services
      - services/proxy
    verbs:
      - create
      - delete
      - deletecollection
      - patch
      - update
  - apiGroups:
      - apps
    resources:
      - daemonsets
      - deployments
      - deployments/rollback
      - deployments/scale
      - replicasets
      - replicasets/scale
      - statefulsets
      - statefulsets/scale
    verbs:
      - create
      - delete
      - deletecollection
      - patch
      - update
  - apiGroups:
      - autoscaling
    resources:
      - horizontalpodautoscalers
    verbs:
      - create
      - delete
      - deletecollection
      - patch
      - update
  - apiGroups:
      - batch
    resources:
      - cronjobs
      - jobs
    verbs:
      - create
      - delete
      - deletecollection
      - patch
      - update
  - apiGroups:
      - extensions
    resources:
      - daemonsets
      - deployments
      - deployments/rollback
      - deployments/scale
      - ingresses
      - networkpolicies
      - replicasets
      - replicasets/scale
      - replicationcontrollers/scale
    verbs:
      - create
      - delete
      - deletecollection
      - patch
      - update
  - apiGroups:
      - policy
    resources:
      - poddisruptionbudgets
    verbs:
      - create
      - delete
      - deletecollection
      - patch
      - update
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses
      - networkpolicies
    verbs:
      - create
      - delete
      - deletecollection
      - patch
      - update
  - apiGroups:
      - ""
    resources:
      - configmaps
      - endpoints
      - persistentvolumeclaims
      - persistentvolumeclaims/status
      - pods
      - replicationcontrollers
      - replicationcontrollers/scale
      - serviceaccounts
      - services
      - services/status
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - bindings
      - events
      - limitranges
      - namespaces/status
      - pods/log
      - pods/status
      - replicationcontrollers/status
      - resourcequotas
      - resourcequotas/status
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - namespaces
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - apps
    resources:
      - controllerrevisions
      - daemonsets
      - daemonsets/status
      - deployments
      - deployments/scale
      - deployments/status
      - replicasets
      - replicasets/scale
      - replicasets/status
      - statefulsets
      - statefulsets/scale
      - statefulsets/status
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - autoscaling
    resources:
      - horizontalpodautoscalers
      - horizontalpodautoscalers/status
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - batch
    resources:
      - cronjobs
      - cronjobs/status
      - jobs
      - jobs/status
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - daemonsets
      - daemonsets/status
      - deployments
      - deployments/scale
      - deployments/status
      - ingresses
      - ingresses/status
      - networkpolicies
      - replicasets
      - replicasets/scale
      - replicasets/status
      - replicationcontrollers/scale
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - policy
    resources:
      - poddisruptionbudgets
      - poddisruptionbudgets/status
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses
      - ingresses/status
      - networkpolicies
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - authorization.k8s.io
    resources:
      - localsubjectaccessreviews
    verbs:
      - create
  - apiGroups:
      - rbac.authorization.k8s.io
    resources:
      - rolebindings
      - roles
    verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - app.alauda.io
    resources:
      - helmrequests
    verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch

Service role name: elasticsearch-aliyunserviceroleforelasticsearchcollector-rolebinding

Scope: logging namespace

RBAC policy: elasticsearch-aliyunserviceroleforelasticsearchcollector-role

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: elasticsearch-aliyunserviceroleforelasticsearchcollector-role
  namespace: logging
rules:
  - apiGroups:
      - ""
    resources:
      - pods/attach
      - pods/exec
      - pods/portforward
      - pods/proxy
      - secrets
      - services/proxy
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - serviceaccounts
    verbs:
      - impersonate
  - apiGroups:
      - ""
    resources:
      - pods
      - pods/attach
      - pods/exec
      - pods/portforward
      - pods/proxy
    verbs:
      - create
      - delete
      - deletecollection
      - patch
      - update
  - apiGroups:
      - ""
    resources:
      - configmaps
      - endpoints
      - persistentvolumeclaims
      - replicationcontrollers
      - replicationcontrollers/scale
      - secrets
      - serviceaccounts
      - services
      - services/proxy
    verbs:
      - create
      - delete
      - deletecollection
      - patch
      - update
  - apiGroups:
      - apps
    resources:
      - daemonsets
      - deployments
      - deployments/rollback
      - deployments/scale
      - replicasets
      - replicasets/scale
      - statefulsets
      - statefulsets/scale
    verbs:
      - create
      - delete
      - deletecollection
      - patch
      - update
  - apiGroups:
      - autoscaling
    resources:
      - horizontalpodautoscalers
    verbs:
      - create
      - delete
      - deletecollection
      - patch
      - update
  - apiGroups:
      - batch
    resources:
      - cronjobs
      - jobs
    verbs:
      - create
      - delete
      - deletecollection
      - patch
      - update
  - apiGroups:
      - extensions
    resources:
      - daemonsets
      - deployments
      - deployments/rollback
      - deployments/scale
      - ingresses
      - networkpolicies
      - replicasets
      - replicasets/scale
      - replicationcontrollers/scale
    verbs:
      - create
      - delete
      - deletecollection
      - patch
      - update
  - apiGroups:
      - policy
    resources:
      - poddisruptionbudgets
    verbs:
      - create
      - delete
      - deletecollection
      - patch
      - update
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses
      - networkpolicies
    verbs:
      - create
      - delete
      - deletecollection
      - patch
      - update
  - apiGroups:
      - ""
    resources:
      - configmaps
      - endpoints
      - persistentvolumeclaims
      - persistentvolumeclaims/status
      - pods
      - replicationcontrollers
      - replicationcontrollers/scale
      - serviceaccounts
      - services
      - services/status
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - bindings
      - events
      - limitranges
      - namespaces/status
      - pods/log
      - pods/status
      - replicationcontrollers/status
      - resourcequotas
      - resourcequotas/status
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - namespaces
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - apps
    resources:
      - controllerrevisions
      - daemonsets
      - daemonsets/status
      - deployments
      - deployments/scale
      - deployments/status
      - replicasets
      - replicasets/scale
      - replicasets/status
      - statefulsets
      - statefulsets/scale
      - statefulsets/status
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - autoscaling
    resources:
      - horizontalpodautoscalers
      - horizontalpodautoscalers/status
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - batch
    resources:
      - cronjobs
      - cronjobs/status
      - jobs
      - jobs/status
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - daemonsets
      - daemonsets/status
      - deployments
      - deployments/scale
      - deployments/status
      - ingresses
      - ingresses/status
      - networkpolicies
      - replicasets
      - replicasets/scale
      - replicasets/status
      - replicationcontrollers/scale
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - policy
    resources:
      - poddisruptionbudgets
      - poddisruptionbudgets/status
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses
      - ingresses/status
      - networkpolicies
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - authorization.k8s.io
    resources:
      - localsubjectaccessreviews
    verbs:
      - create
  - apiGroups:
      - rbac.authorization.k8s.io
    resources:
      - rolebindings
      - roles
    verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - app.alauda.io
    resources:
      - helmrequests
      - releases
    verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - elasticsearch.kubernetes.aliyun.com
    resources:
      - logcollectors
      - indexlifecyclebindings
      - indexlifecyclepolicies
    verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - beat.kubernetes.aliyun.com
    resources:
      - beats
    verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch

Service role name: elasticsearch-aliyunserviceroleforelasticsearchcollector-clusterrolebinding

Scope: cluster

RBAC policy: elasticsearch-aliyunserviceroleforelasticsearchcollector-clusterrole

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: elasticsearch-aliyunserviceroleforelasticsearchcollector-clusterrole
rules:
  - apiGroups: [""]
    resources: ["pods", "nodes", "services", "namespaces", "endpoints", "configmaps", "secrets"]
    verbs: ["get", "list", "watch", "patch", "update", "create"]
  - apiGroups: ["apps"]
    resources: ["replicasets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["app.alauda.io"]
    resources: ["helmrequests"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

Cloud product: Platform for AI (PAI)

Service role name: pai-aliyunpaidlcdefaultrole-clusterrolebinding

Scope: cluster

RBAC policy: pai-aliyunpaidlcdefaultrole-clusterrole

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pai-aliyunpaidlcdefaultrole-clusterrole
rules:
  - apiGroups: [ "" ]
    resources: [ "secrets", "secrets/status", "services", "namespaces", "endpoints", "serviceaccounts", "configmaps/status",
                 "persistentvolumes", "persistentvolumes/status", "events", "events/status", "persistentvolumeclaims", "pods", "pods/log", "replicationcontrollers", "bindings",
                 "limitranges", "pods/attach", "pods/exec", "pods/portforward", "pods/proxy", "services/proxy"]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "" ]
    resources: [ "serviceaccounts" ]
    verbs: [ "impersonate" ]
  - apiGroups: [ "" ]
    resources: [ "configmaps", "pods", "services", "secrets", "endpoints", "configmaps" ]
    verbs: [ "*" ]
  - apiGroups: [ "" ]
    resources: [ "pods/status","pods/binding", "namespaces/status", "persistentvolumeclaims/status", "replicationcontrollers/scale",
                 "replicationcontrollers/status", "resourcequotas", "resourcequotas/status", "services/status" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "" ]
    resources: [ "nodes", "nodes/status" ]
    verbs: [ "create", "delete", "update", "get", "list", "watch", "patch", "deletecollection" ]
  - apiGroups: [ "apps" ]
    resources: [ "statefulsets", "daemonsets", "deployments", "controllerrevisions", "replicasets" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "apps" ]
    resources: [ "statefulsets/status", "daemonsets/status", "deployments/scale", "deployments/status",
                 "replicasets/scale", "replicasets/status", "statefulsets/scale", "deployments/rollback" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "rbac.authorization.k8s.io" ]
    resources: [ "clusterrolebindings", "clusterroles", "roles", "roles/status", "rolebindings", "rolebindings/status" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "authentication.k8s.io" ]
    resources: [ "tokenreviews" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "authorization.k8s.io" ]
    resources: [ "subjectaccessreviews" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "admissionregistration.k8s.io" ]
    resources: [ "mutatingwebhookconfigurations", "validatingwebhookconfigurations" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "networking.k8s.io" ]
    resources: [ "ingresses", "ingresses/status", "networkpolicies" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "apiextensions.k8s.io" ]
    resources: [ "customresourcedefinitions" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "batch" ]
    resources: [ "jobs", "cronjobs", "jobs/status", "cronjobs/status" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "batch/v1" ]
    resources: [ "jobs" ]
    verbs: [ "get", "create", "list", "watch", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "autoscaling" ]
    resources: [ "horizontalpodautoscalers", "horizontalpodautoscalers/status" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "coordination.k8s.io" ]
    resources: [ "leases", "leases/status" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "coordination.k8s.io" ]
    resources: [ "leases" ]
    verbs: [ "*" ]
  - apiGroups: [ "data.fluid.io" ]
    resources: [ "datasets", "datasets/status", "jindoruntimes", "jindoruntimes/status" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "extensions" ]
    resources: [ "replicasets", "replicasets/status", "daemonsets", "daemonsets/status", "deployments",
                 "deployments/scale", "deployments/status", "deployments/rollback", "ingresses", "ingresses/status", "networkpolicies",
                 "replicasets/scale", "replicationcontrollers/scale" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "metrics.k8s.io" ]
    resources: [ "nodes", "pods" ]
    verbs: [ "get", "list", "watch" ]
  - apiGroups: [ "kubeflow.org" ]
    resources: [ "tfjobs", "pytorchjobs", "tfjobs/status", "pytorchjobs/status", "mpijobs", "mpijobs/status" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "xdl.kubedl.io" ]
    resources: [ "xdljobs", "xdljobs/status" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "xgboostjob.kubeflow.org" ]
    resources: [ "xgboostjobs", "xgboostjobs/status" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "events.k8s.io" ]
    resources: [ "events" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "policy" ]
    resources: [ "poddisruptionbudgets", "poddisruptionbudgets/status" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "apps.kruise.io" ]
    resources: [ "statefulsets" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "scheduling.alibabacloud.com" ]
    resources: [ "gpudevices", "allocgroups", "allocgroups/status" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "gputopology.kubedl.io" ]
    resources: [ "gputopologies" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "storage.k8s.io" ]
    resources: [ "storageclasses", "csinodes", "volumeattachments" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "scheduling.k8s.io" ]
    resources: [ "priorityclasses" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "scheduling.x-k8s.io" ]
    resources: [ "queueunits", "queueunits/status", "queues" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "scheduling.sigs.k8s.io" ]
    resources: [ "elasticquotatrees" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "certificates.k8s.io" ]
    resources: [ "certificatesigningrequests", "certificatesigningrequests/approval", "signers" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection", "approve" ]
  - apiGroups: [ "discovery.k8s.io" ]
    resources: [ "endpointslices" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "monitoring.coreos.com" ]
    resources: [ "servicemonitors" ]
    verbs: [ "get", "create", "list", "watch", "update", "patch", "delete", "deletecollection"]
  - apiGroups: [ "inference.kubedl.io" ]
    resources: [ "elasticbatchjobs", "elasticbatchjobs/status" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "gateway.solo.io" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "argoproj.io" ]
    resources: [ "clusterworkflowtemplates", "clusterworkflowtemplates/finalizers", "cronworkflows", "cronworkflows/finalizers",
                 "workflows", "workflows/finalizers", "workflowtemplates", "workflowtemplates/finalizers" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "paiflow.alibaba-inc.com" ]
    resources: [ "clusterworkflowtemplates", "clusterworkflowtemplates/finalizers", "cronworkflows", "cronworkflows/finalizers",
                   "workflows", "workflows/finalizers", "workflowtemplates", "workflowtemplates/finalizers",
                "workfloweventbindings", "workfloweventbindings/finalizers" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "dlc.alibaba.com" ]
    resources: [ "datasources", "datasources/status", "dlcinstanceresourcepatches", "dlcinstanceresourcepatches/status",
                 "dlcinstances", "dlcinstances/status", "resourcegroups", "resourcegroups/status", "tensorboards", "tensorboards/status"]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "eas.alibaba-inc.k8s.io" ]
    resources: [ "resourcemigrations", "resourcemigrations/status", "tenantresources", "tenantresources/status" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "paiflow.pai.alibaba-inc.com" ]
    resources: [ "aiworkspaces" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "gloo.solo.io", "enterprise.gloo.solo.io", "graphql.gloo.solo.io" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "ratelimit.solo.io" ]
    resources: [ "ratelimitconfigs","ratelimitconfigs/status" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "dsw.alibaba.com" ]
    resources: [ "dswinstances", "dswinstances/status", "idleinstancecullers", "idleinstancecullers/status",
                 "images", "images/status", "notebooks", "notebooks/status", "credentials", "credentials/status",
                 "nasvolumes", "nasvolumes/status" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "training.pai.alibaba-inc.com" ]
    resources: [ "trainingjobs", "trainingjobs/status" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: ["scheduling.sigs.k8s.io"]
    resources: ["podgroups"]
    verbs: ["get", "delete"]

Cloud product: BizWorks (cloud-native application assembly platform)

Service role name: bizworks-aliyunserviceroleforbizworks-clusterrolebinding

Scope: cluster

This role carries the highest level of permissions: it can install any Helm chart.

RBAC policy: bizworks-aliyunserviceroleforbizworks-clusterrole

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: bizworks-aliyunserviceroleforbizworks-clusterrole
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
- nonResourceURLs:
  - '*'
  verbs:
  - '*'

Customize the RBAC permissions of a cloud product on an ACK cluster

If you need to customize the permissions that an Alibaba Cloud product has on the resources of an ACK cluster, edit the ClusterRole that corresponds to that product in the cluster. Add the annotation inner.service.alibabacloud.com/user-customized: "true" to the ClusterRole (the value is quoted because Kubernetes annotation values are strings) and define your own policy under the rules field. Example:

Important

Customizing a specified RBAC role may affect the normal operation of the corresponding cloud product's features. To learn the exact impact, submit a ticket to the technical support of that cloud product.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    # Annotation values are strings: an unquoted true would be parsed as a
    # YAML boolean and the API server would reject the object.
    inner.service.alibabacloud.com/user-customized: "true"
  name: test-aliyunserviceroleforarms-clusterrole
rules:
- apiGroups:
  - test
  resources:
  - '*'
  verbs:
  - '*'
...

Block a cloud product from accessing an ACK cluster

  • As described in Customize the RBAC permissions of a cloud product on an ACK cluster, add the annotation inner.service.alibabacloud.com/user-customized: "true" to the ClusterRole of the cloud product and delete every entry under the rules field. This removes all of the cloud product's access to the ACK cluster.

  • Deleting the RAM service role of the cloud product in the RAM console also blocks that product from accessing the ACK cluster. For details, see Delete a RAM role.
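The customization and revocation steps above, as an added example written for this page (editor-written code, not part of the ACK documentation or of any Alibaba Cloud tooling). It works on the dict form a ClusterRole has after `kubectl get clusterrole <name> -o json`, reviews each rule for grants that deserve a second look before you trim the policy (wildcards, impersonation, secrets, pods/exec, RBAC objects; these categories are this example's own selection), and builds the two variants the text describes: a user-customized role with your own rules, and a disabled role with the annotation and an empty rules list. The annotation value is emitted as the string "true", which the API server requires. The sample role is constructed for the example and does not correspond to any product's real policy.

```python
"""Added example, not code from the ACK documentation: review a cloud-product
ClusterRole and build the user-customized / disabled variants the text describes.
Assumes the role is handled in the dict form of `kubectl get clusterrole -o json`."""
import json
from copy import deepcopy

CUSTOMIZED_ANNOTATION = "inner.service.alibabacloud.com/user-customized"

# Grants that merit a second look in a least-privilege review.  The selection
# is this example's own, not a list published by ACK.
SENSITIVE_RESOURCES = {
    "secrets", "pods/exec", "pods/attach", "pods/portforward",
    "serviceaccounts/token", "clusterroles", "clusterrolebindings",
    "roles", "rolebindings", "mutatingwebhookconfigurations",
    "validatingwebhookconfigurations", "certificatesigningrequests/approval",
}
SENSITIVE_VERBS = {"impersonate", "escalate", "bind", "approve"}

# Constructed sample role: the shape mirrors the roles listed above, the
# content is invented so that every check below fires at least once.
SAMPLE_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "example-aliyunserviceroleforexample-clusterrole"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods", "pods/log"],
         "verbs": ["get", "list", "watch"]},
        {"apiGroups": [""], "resources": ["secrets", "pods/exec"],
         "verbs": ["get", "create"]},
        {"apiGroups": [""], "resources": ["serviceaccounts"],
         "verbs": ["impersonate"]},
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
        {"nonResourceURLs": ["*"], "verbs": ["*"]},
    ],
}


def review_rules(role):
    """Return one finding string per rule that grants something sensitive."""
    findings = []
    for i, rule in enumerate(role.get("rules", [])):
        groups = set(rule.get("apiGroups", []))
        resources = set(rule.get("resources", []))
        verbs = set(rule.get("verbs", []))
        urls = set(rule.get("nonResourceURLs", []))
        if "*" in groups and "*" in resources and "*" in verbs:
            findings.append(f"rule {i}: cluster-admin equivalent (all groups, resources and verbs)")
            continue
        if "*" in urls and "*" in verbs:
            findings.append(f"rule {i}: all verbs on every non-resource URL")
            continue
        problems = []
        if "*" in verbs:
            problems.append("wildcard verbs")
        if "*" in resources:
            problems.append("wildcard resources")
        hit_verbs = sorted(SENSITIVE_VERBS & verbs)
        if hit_verbs:
            problems.append("verbs " + ", ".join(hit_verbs))
        hit_res = sorted(SENSITIVE_RESOURCES & resources)
        if hit_res:
            problems.append("resources " + ", ".join(hit_res))
        if problems:
            findings.append(f"rule {i}: " + "; ".join(problems))
    return findings


def customize(role, rules):
    """Copy of the role carrying the user-customized annotation and the given
    rules.  The value must be the string "true": annotation values are strings,
    so an unquoted YAML boolean is rejected by the API server."""
    out = deepcopy(role)
    out.setdefault("metadata", {}).setdefault("annotations", {})[CUSTOMIZED_ANNOTATION] = "true"
    out["rules"] = [deepcopy(r) for r in rules]
    return out


def disable(role):
    """Annotated role with no rules: the binding stays, the access is gone."""
    return customize(role, [])


def is_user_customized(role):
    """True only when the annotation is present as the string "true"."""
    value = role.get("metadata", {}).get("annotations", {}).get(CUSTOMIZED_ANNOTATION)
    return isinstance(value, str) and value == "true"


def to_manifest(role):
    """JSON manifest; kubectl apply -f accepts JSON as well as YAML."""
    return json.dumps(role, indent=2)


if __name__ == "__main__":
    for finding in review_rules(SAMPLE_ROLE):
        print(finding)
    # Keep only the read-only rule, drop the rest, and mark the role customized.
    trimmed = customize(SAMPLE_ROLE, SAMPLE_ROLE["rules"][:1])
    print(to_manifest(trimmed))
    print(to_manifest(disable(SAMPLE_ROLE)))
```

Run the review before editing a product's role so you know which grants you are removing, then apply the trimmed or disabled manifest with kubectl; the original role dict is never modified in place, so the findings can be re-run against the variant to confirm nothing sensitive survived.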